Query Details

Identity Blast Radius 2

Query

//Identity Blast Radius 2 KQL
//https://www.linkedin.com/feed/update/urn:li:activity:7177358332662337536/

//A different approach of deriving identity blast radius, instead of using DefenderXDR schema we now use Sentinel User and Entity Behavior Analytics (UEBA) IdentityInfo schema to derive the high blast radius & risk user and their associated logon devices to trace the potential attack path for remediation purposes.

let HighRiskUsers =
IdentityInfo
| where BlastRadius == "High" and ChangeSource == "UEBA"
| where RiskLevel == "High" and RiskState == "AtRisk"
| distinct AccountSID;
DeviceLogonEvents
| where AccountSid has_any(HighRiskUsers)
| summarize by AccountName, DeviceName
| sort by AccountName

// MITRE ATT&CK Mapping

// Based on the KQL code, the following MITRE ATT&CK techniques are relevant:

// T1078 - Valid Accounts:
// The query is identifying high-risk user accounts, which could be indicative of compromised or misused valid accounts.
// T1078.001 - Valid Accounts: Default Accounts:
// If the high-risk users include default accounts, this technique would be relevant.
// T1078.002 - Valid Accounts: Domain Accounts:
// If the high-risk users include domain accounts, this technique would be relevant.
// T1078.003 - Valid Accounts: Local Accounts:
// If the high-risk users include local accounts, this technique would be relevant.
// T1078.004 - Valid Accounts: Cloud Accounts:
// If the high-risk users include cloud accounts, this technique would be relevant.
// T1059 - Command and Scripting Interpreter:
// The use of KQL itself can be mapped to this technique as it involves scripting and querying.
// T1087 - Account Discovery:
// The query is effectively performing account discovery by identifying high-risk accounts.
// T1110 - Brute Force:
// If the high-risk users were identified due to brute force attempts, this technique would be relevant.

Explanation

This KQL query is designed to identify high-risk user accounts and their associated devices for potential security threats. Here's a simplified breakdown:

  1. Identify High-Risk Users:

    • The query first looks at the IdentityInfo table to find users with a "High" blast radius and risk level, specifically those flagged by the User and Entity Behavior Analytics (UEBA) system as "AtRisk".
    • It collects the unique security identifiers (SIDs) of these high-risk users.
  2. Find Associated Devices:

    • It then checks the DeviceLogonEvents table to find logon events involving these high-risk users.
    • The query extracts and lists the account names and device names where these users have logged in.
  3. Purpose:

    • The goal is to trace potential attack paths by identifying which devices these high-risk users have accessed, aiding in remediation efforts.
  4. MITRE ATT&CK Techniques:

    • The query aligns with several MITRE ATT&CK techniques, indicating it can help identify compromised accounts, whether they are default, domain, local, or cloud accounts.
    • It also involves account discovery and could relate to brute force attempts if those were the reason for the high-risk designation.

Overall, this query helps security teams focus on users and devices that might be part of a security incident, allowing them to take targeted actions to mitigate risks.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

IdentityInfoDeviceLogonEvents

Keywords

IdentityInfoUEBARiskLevelRiskStateAccountSIDDeviceLogonEventsAccountNameDeviceName

Operators

let|whereanddistincthas_anysummarize bysort by

Actions

GitHub